HONG KONG MONETARY AUTHORITY 


Our Ref: B9/32C 


29 November 2013 


The Chief Executive 
All Authorized Institutions 


Dear Sir/Madam, 


Supervisory Policy Manual (SPM) 
Module IC-6 “The Sharing and Use of Consumer Credit Data through a Credit 
Reference Agency” 


This circular provides further guidance in respect of some issues related to positive 
mortgage data sharing arrangements that were identified during our thematic on-site 
examinations on a number of Authorized Institutions (AIs) engaging in mortgage loan 
business. AIs should take note of the guidance and review whether they have similar 
issues in their institutions, and if so, strengthen their existing controls, policies and 
procedures according to the guidance set out at Annex. 


In addition, I would also like to take this opportunity to remind all AIs of the need to 
comply with the Personal Data (Privacy) Ordinance and any relevant code of practice and 
guidance in relation to the sharing and use of consumer credit data through a credit 
reference agency. 


Yours faithfully, 


Meena Datwani 
Executive Director (Banking Conduct) 

Annex 


Policies and procedures 


AIs generally have high-level policies and procedures in place on the sharing and use 
of consumer credit data. However, some AIs did not have adequately detailed 
operational procedures on how to handle the following matters: 


• checking and reviewing the access log that records the instances of access to the 
credit reference agency (CRA) database; 

• handling of customers’ disputes over their credit data in the CRA database by the 
frontline staff and relevant back-end departments; 

• handling of potential breaches of the Code of Practice on Consumer Credit Data 
(Code), including incidents of improper access to the credit data in the CRA, and 
maintaining proper documentation of the breaches and incidents, investigations 
undertaken, results and actions taken (including escalation of breaches to senior 
management); 

• rectification of inaccurate data contributed to the CRA; and 

• updating the CRA database upon (i) full or partial repayment of amounts in 
default or written off, (ii) entering into schemes of arrangement with the 
borrowers, or (iii) final settlement of the amounts payable under schemes of 
arrangement, and handling of the customers’ requests for such updates. 


AIs should review their policies and procedures and ensure the above operational 
procedures are adequately covered in their internal procedural manuals. As a related 
issue, AIs should review and update their policies and procedures regularly to ensure 
that they remain appropriate in the light of changes in relevant legislation and 
regulations. 


Access control 


We observed that the management of some AIs, in the assignment of duties related to 
the access of the CRA database, granted both an “Enquiry” (which allows online 
enquiry of an individual’s credit report) and an “Invalid Enquiry Suppression” right 
(which is used to cancel and reverse an enquiry record in the CRA system) to the 
same staff. In some instances, the designated staff were also assigned the role of 
reviewing the daily access log. This practice compromises the principle of 
segregation of duties and is not conducive to detection of unauthorised access to 
consumer credit data. AIs should ensure that proper segregation of duties is in place 
to prevent any improper access to or mishandling of consumer credit data. AIs 
should also monitor and verify regularly the appropriateness of the rights of 
designated staff to access the CRA database and ensure that access rights are granted 
on a need basis. As a related issue, AIs should ensure that obsolete accounts for 
accessing the CRA database are removed in a timely manner. 


Compliance audit 


Some AIs involved in the provision of consumer credit did not conduct a compliance 
audit annually. We would like to remind AIs that under SPM IC-6 they should 
conduct a compliance audit at least annually. The audit report, which should assess 
the overall effectiveness of the data management practices in ensuring compliance 
with the Code and SPM IC-6, should be submitted to the AI’s Board or a designated 
authority for review. The report should cover issues like security breaches or 
violations, management’s response and recommendations for improvement. 


Staff training 


During our on-site examinations, we found cases where loan applicants had not fully 
completed their consent forms; a wrong account type code was used for reporting loan 
data to the CRA; and credit reports were mistakenly requested using a wrong enquiry 
purpose code. These findings suggest that the AIs had not provided sufficient 
training to their staff members involved in the sharing and use of consumer credit data. 
AIs are reminded to provide sufficient training to all relevant staff members to ensure 
they are familiar with the applicable requirements, as well as internal policies and 
procedures. 


Notification of access for considering mortgage loan application 


Clause 2.13 of the Code provides that where a credit provider has been provided with 
a credit report on an individual by a CRA and has considered such report in 
connection with an application for consumer credit by that individual, the credit 
provider shall, in its notification to the individual of its decision on the application, 
give notice of the fact that a credit report has been so considered. The credit 
provider is also required to inform the individual how to contact the CRA who 
provided the credit report, for the purpose of making access to a copy of the credit 
report for free under clause 3.18¹ and where appropriate, to make a data correction 
request under the Personal Data (Privacy) Ordinance. We noted that some AIs: 

• did not clearly indicate that a credit report has been so considered, and instead 
used vague phrases such as “the institution might obtain and consider a credit 
report from the CRA” in their notifications to customers; 

• did not indicate in their notifications to customers as to how they may contact the 
CRA to obtain a copy of the credit report for free under clause 3.18 of the 
Code; 

• in cases where loans approved by the institution were not accepted by the 
customers, did not give any notice to the loan applicants that the AIs had 
considered the applicants’ credit reports in connection with their mortgage loan 
applications; and 

• did not give any notice as required under clause 2.13 to the staff members 
concerned for staff mortgage loans granted. 

¹ Clause 3.18 of the Code provides that as a recommended practice, a CRA shall seek to respond 
promptly to a data access request without charge in respect of personal data held by it brought by an 
individual who advises that he has been refused credit by a credit provider to whom a credit report on 
him has been provided by the CRA. 


AIs should put in place proper controls and procedures to ensure that the notification 
and information required under clause 2.13 of the Code is provided to all relevant 
individuals whose credit reports were considered. AIs should avoid vague phrases 
when notifying customers that a credit report has been obtained and considered. The 
relevant procedures should be documented properly and communicated to all relevant 
staff for implementation. 


Verification of mortgage count 


While AIs generally have put in place procedures to verify the mortgage count and 
conduct follow-up actions on loan applicants in case of any discrepancies, we 
observed that in some cases, AIs did not maintain documentary evidence indicating 
that proper follow-up enquiries had been made with the applicants. AIs are 
reminded that they should maintain proper documentation in this respect. 


Contribution of positive mortgage data to the CRA 


We observed that some mortgage loans booked under Commercial Banking 
Department of some AIs were in fact held by personal borrowers and mortgagors, or 
shell companies with personal guarantee, and were not related to corporate lending or 
operating companies. These mortgage loans are within the scope of positive 
mortgage data sharing scheme. In this connection, we note the industry associations’ 
recommendation that AIs should not determine whether a mortgage loan is within the 
scope of positive mortgage data sharing scheme merely based on the name of the 
business unit under which the loan is booked, but should also look at the borrower of 
the loan. AIs are reminded that they should participate as fully as possible in the 
sharing and use of positive mortgage data through the CRA within the framework laid 
down by the Code. 


